Typically, people complain about lawyers holding them to ransom, but sometimes, it’s the other way around. Back in January, the Law Society of British Columbia reported that three law firms in the province had been attacked by a unique form of computer malware. Online thieves from halfway around the world had locked up the files on lawyers’ computers, rendering them inaccessible — and the lawyers were charged a hefty fee to get them back.

Crooks carry out this kind of attack using a category of malicious software called ransomware. It is a growing threat, and in just a few months, the number of attacks on high-value B.C. businesses has grown.

“The Law Society is aware of at least seven instances where law firms were targeted by ransomware,” David Jordan, spokesman for the society, said this month. The society would not reveal the names of the firms involved.

Ransomware infects computers much like any other virus. Victims “catch” it by visiting malicious websites, which they may be fooled into visiting by a spam email. In one case, emails contained phoney FedEx and UPS tracking notices with links that take victims to a site that immediately infects their machines.

Instead of simply stealing passwords or using an infected computer to send spam as many other viruses do, ransomware is particularly devious. It will systematically scramble the files on the victim’s computer, locking them with a digital key to which only the criminal has access.

Victims are then unable to read the files, which could potentially cripple a business, especially if the data is critical to its operation. Once in the snare of the criminal, the victim must make a payment to receive the key, causing the ransomware to automatically unlock the files. It’s a sophisticated form of digital blackmail.

Ransomware has evolved since it first appeared in the 1990s. Initially, it didn’t encrypt files. Instead, it would nag victims with messages claiming to be from the FBI and accusing them of having illegal material on their computers. It would try to scare them into making a payment to avoid prosecution.

Lately, ransomware has become smarter, warned Patrick Nielsen, senior security researcher at anti-malware firm Kaspersky. “Using encryption in malware is a fairly new phenomenon,” he said.

Early versions of file-encrypting ‘crypto-ransomware’ were amateurish, Nielsen recalled. They would make basic mistakes in cryptography, including using a single electronic key to lock up information across all victims’ computers. Since then, they have become more professional. They will typically generate a unique digital key to lock up a single computer’s files, storing it in a massive online database with everyone else’s keys.

Many different strains of ransomware have appeared, including Cryptolocker, CoinVault, and Cryptodefense (which was rebranded as Cryptowall after its authors improved its encryption mechanism). Cryptodefense charges US$500 to restore a victim’s files, and increases the price to US$1,000 if the company fails to pay promptly.

Security software and services firm Symantec estimates that the team behind Cryptodefense earned US$1 million from victims in six months, and the company considers encryption ransomware to be the most effective form of cybercrime in existence.

Symantec’s 2015 Internet Security Threat Report notes that ransomware attacks increased by 113 per cent last year, reaching 8.8 million worldwide. Crypto-ransomware is still a relatively small percentage of total attacks, but it is growing. By the end of last year it accounted for one in 25 of all ransomware attacks, meaning that almost 1,000 computers were being infected each day. The number will have grown since then.

Paysafe is a popular form of online payment for victims of ransomware, as is Western Union. Some criminals even set up a premium number charging an extortionate fee and then order victims to call it. Increasingly, though, criminals are using bitcoin as a quick, anonymous form of payment, said Alexander Rau, Symantec Canada’s national information security strategist.

Should businesses pay when their files are encrypted and held to ransom? Rau says that the default recommendation is not to pay, but that companies will look at it on a case-by-case basis. “If you have information locked up and you have no way to get to it, you may have no other option,” he said. “But who says they can’t go back in and hold you to ransom again?”

Kaspersky struck gold early this spring, when Dutch police came across an online server hosted by cyber criminals that held individual keys for the CoinVault ransomware. The security company used the keys to develop a software tool that can unlock files and delete the CoinVault program from some infected machines.

Security companies may win discrete battles, but the war continues. Kaspersky is now seeing ransomware targeting mobile users, Nielsen said. Android is a particular problem because of the availability of different app stores besides Google’s, he warned. Apps downloaded from these stores can be used to install ransomware that will lock up a device, and also encrypt everything on the phone’s memory card.

Ideally, companies will take steps to protect their data before being infected, said the Law Society’s Jordan. “Regular backups to servers or storage media that are not continually connected to the network should relieve lawyers from having to consider paying to retrieve their own files,” he said.

The same goes for other companies: regular data backups can help avert disaster should ransomware criminals strike. In the world of electronic documents, as everywhere else, a stitch in time saves nine.